High-rate quantum key distribution scheme relying on continuously phase and amplitude-modulated coherent light pulses

ABSTRACT

One aspect of the present invention is related to a quantum cryptographic scheme comprising at least one sending unit including a physical means of encoding and distributing a raw key in the quadrature components of quantum coherent states that are continuously modulated in phase and amplitude, at least one receiving unit containing a physical means of performing homodyne detection of the quantum coherent states in order to measure the quadrature components of the states, a quantum channel for connecting the sending unit to the receiving unit, a two-way authenticated public channel for transmitting non-secret messages between the sending unit and the receiving unit, a quantum key distribution protocol ensuring that the information tapped by a potential eavesdropper can be estimated from the quantum channel parameters, and a direct or reverse reconciliation protocol that converts the raw continuous data into a common binary key.

RELATED APPLICATIONS

[0001] This patent application takes priority from U.S. Provisional Application No. 60/394,330, filed on Jul. 5, 2002, which is hereby incorporated by reference.

FIELD OF THE INVENTION

[0002] The present invention is related to the distribution of a random bit string between two authorised parties, for use as a secret key in a secure i.e., encrypted and authenticated communication.

[0003] The key distribution uses quantum carriers, typically single-photon or strongly attenuated pulses, for encoding the key bits. It is supplemented with classical post-processing algorithms, namely reconciliation and privacy amplification algorithms, in order to distil the secret key.

[0004] The Heisenberg uncertainty principle of quantum mechanics, together with the use of a privacy amplification protocol, guarantees that an unauthorised third party (any eavesdropper) cannot gain any information on the secret key.

STATE OF THE ART

[0005] Quantum key distribution (QKD), usually known as quantum cryptography, is presently the most advanced application of quantum communication. QKD has been proposed in 1984 by C. H. Bennett and G. Brassard as a technique for distributing a secret key, i.e., a random bit string, between two authorised parties that relies on quantum mechanics. This secret key, also called symmetric key, can then be used by the parties to transmit a confidential message by use of a standard cryptographic method such as the Vernam code, which is unconditionally secure. It can also be used to authenticate the communication, i.e., distinguish legitimate messages from fake ones.

[0006] Quantum key distribution requires a quantum channel supplemented with a (classical) authenticated public channel. Typically, a sequence of light pulses is sent in the quantum channel, encoding each a key bit. The quantum properties of light, in particular the Heisenberg uncertainty principle, ensure that no information can be gained on these key bits without disturbing the quantum state of the photons. Public communications over the classical channel are then used to estimate the maximum amount of information that a potential eavesdropper may have acquired, and distil a secret key out of the raw data.

[0007] Several practical schemes for quantum key distribution have been proposed and implemented over the last ten years. The present state-of-the-art quantum cryptographic schemes make use of a binary encoding of the key using ideally single-photon states, or, in practice, very faint coherent states containing on average a fraction of a photon per pulse. The secret key rate is limited due to the need for photon-counting detectors, which have a relatively low maximum repetition frequency in order to keep the detector's afterpulse probability negligible. In addition, the range over which the security is guaranteed is limited by a threshold on the quantum bit error rate, which is reached above a certain attenuation (beyond a certain range) as a consequence of the detector's dark counts. A review of quantum cryptography can be found in ref.¹.

[0008] Another potential implementation of QKD that was raised very recently consists in using quantum continuous variables (QCV)²⁹, such as the electric field amplitudes, to obtain possibly more efficient alternatives to usual photon-counting QKD techniques.

[0009] Many recent proposals²⁻¹⁰ to use QCV for QKD have been made that are based on the use of “non-classical” light beams, namely squeezed light or entangled light beams (“EPR beams”). In contrast, embodiments of the present invention discuss the use of “quasi-classical” (coherent) light beams. U.S. Pat. No. 5,515,438, hereby incorporated by reference, describes a quantum key distribution using non-orthogonal macroscopic signals.

SUMMARY OF CERTAIN ASPECTS OF THE INVENTION

[0010] Embodiments of the present invention are a potential alternative to the usual single-photon quantum cryptographic techniques devised so far. Key carriers used are quasi-classical (coherent) light pulses that contain many photons and are continuously modulated in amplitude and phase¹¹. The continuous raw data is then converted into a usable binary key using a continuous reconciliation protocol^(9,22). In contrast to previous proposals, this shows that there is no need for squeezed light in the context of QCV QKD: an equivalent level of security may be obtained simply by generating and transmitting continuous distributions of coherent states, an easier task compared to generating squeezed states or single-photon states.

[0011] More specifically, embodiments of the present invention distribute secret keys at a high rate over long distances. A protocol uses shot-noise limited coherent (homodyne) detection, which works at much higher repetition frequencies than single-photon detectors, so that high secret-bit rates can indeed be achieved. It remains, in principle, secure for very lossy transmission lines by use of a reverse reconciliation algorithm, so it may therefore be used over long distances.

[0012] One further goal of the invention is to demonstrate the practicability of the QCV QKD protocol when using Gaussian-modulated coherent states that are laser pulses containing several photons. The scope of the invention is not restricted to Gaussian distributions (other continuous distributions may be used as well) but this makes the demonstration easier. Embodiments of the invention cover the security analysis of the protocol and a proof-of-principle experimental implementation, followed by the complete secret key extraction, including data reconciliation and privacy amplification. The tested set-up yields a secret key rate of approximately 1.7 Mbps for a lossless line and of 75 kbps for a 3.1 dB line.

[0013] Embodiments of this invention describe the distribution of a secret key between two remote parties by use of quantum coherent states, e.g., attenuated laser pulses, that are continuously modulated in phase and amplitude. Coherent (homodyne) detection is then performed by the receiver in order to measure the quadrature components of these states.

[0014] One protocol embodiment of the invention ensures that the information a potential eavesdropper may gain at most can be estimated from the measured parameters characterising the channel (line attenuation and error rate). Using an authenticated public (classical) channel, the resulting raw data (partly correlated continuous variables) can be converted into a secret binary key by using a (direct or reverse) reconciliation protocol supplemented with privacy amplification. The resulting key can then be used as a private key in order to ensure the confidentiality and/or authentication of a transmission using standard cryptographic techniques.

[0015] Aspects of the quantum continuous-variable cryptographic scheme include the continuous distribution of coherent states. This is in contrast with all other schemes, which rely on a binary encoding. Here, the encoding of continuous variables into the quadrature components of a coherent state makes it possible to encode several key bits per coherent pulse. Also, the use of homodyne detection techniques to measure the quadrature components of the light field allows this scheme to work at high frequencies by comparison with photon-counting techniques.

[0016] Other aspects of the scheme include the use of a continuous reconciliation protocol in order to convert the raw key resulting from the first item into a usable binary key. A direct or reverse reconciliation protocol may be used depending on the line parameters. For lines with an attenuation that exceeds 3 dB, reverse reconciliation must be used in order to ensure the security. There is, in principle, no limit on the achievable range using reverse reconciliation, but practical considerations (noise in the apparatuses, in particular in the coherent detection system, non-unity efficiency of the reconciliation protocols) put a limit on the range over which the key can be securely distributed. For very noisy lines with low losses, direct reconciliation is preferred.

[0017] In one embodiment of the present invention there is a quantum cryptographic system, comprising at least one sending unit comprising an encoder and distributing a raw key in the quadrature components of quantum coherent states that are continuously modulated in phase and amplitude; at least one receiving unit comprising a homodyne detector of the quantum coherent states in order to measure the quadrature components of the states; a quantum channel for connecting the sending unit to the receiving unit; and a two-way authenticated public channel for transmitting non-secret messages between the sending unit and the receiving unit.

[0018] According to one embodiment, the quantum cryptographic system further comprises a continuous-variable quantum key distribution protocol ensuring that the amount of information a potential eavesdropper may gain at most on the sent and received data can be estimated from the measured parameters of the quantum channel (error rate and line attenuation).

[0019] The sent and received raw data resulting from the continuous-variable protocol are converted into a secret binary key by using a continuous reconciliation protocol supplemented with privacy amplification.

[0020] According to one embodiment, the encoder of the quadrature components with a high signal-to-noise ratio encodes several key bits per coherent light pulse.

[0021] According to another embodiment, the decoding of the quadrature components of the light field via the homodyne detector achieves high secret bit rates in comparison to photon-counting techniques.

[0022] In case of noisy quantum channels with low losses, the continuous reconciliation protocol is a direct reconciliation protocol, which allows the receiver to discretize and correct its data according to the sent values.

[0023] In case of quantum channels with an attenuation that exceeds 3 dB, the continuous reconciliation protocol is a reverse reconciliation protocol, which allows the sending unit to discretize and correct its data according to the values measured by the receiver.

[0024] The key secret can be used as a private key for ensuring confidentiality and authentication of a cryptographic transmission.

[0025] According to one embodiment, the quadrature components of the quantum coherent states are modulated with a Gaussian distribution, the coordinate values of the center of the Gaussian distribution being arbitrary.

[0026] According to another embodiment, the variance of the Gaussian distribution for the quadrature X is different from the variance of the Gaussian distribution for the conjugate quadrature P.

[0027] According to another embodiment, the Gaussian-modulated coherent sates are attenuated laser light pulses typically containing several photons.

[0028] The information, an eavesdropper may gain on the sent and received Gaussian-distributed values, can be calculated explicitly using Shannon's theory for Gaussian channels.

[0029] In another embodiment of the present invention there is a method of distributing continuous quantum key between two parties which are a sender and a receiver, the method comprising selecting, at a sender, two random numbers x_(A) and p_(A) from a Gaussian distribution of mean zero and variance V_(A)N₀, where N₀ refers to the shot-noise variance; sending a corresponding coherent state |x_(A)+ip_(A)> in the quantum channel; randomly choosing, at a receiver, to measure either quadrature x or p using homodyne detection; informing the sender about the quadrature that was measured so the sender may discard the wrong one; measuring channel parameters on a random subset of the sender's and receiver's data, in order to evaluate the maximum information acquired by an eavesdropper; and converting the resulting raw key in the form of a set of correlated Gaussian variables into a binary secret key comprising direct or reverse reconciliation in order to correct the errors and get a binary key, and privacy amplification in order to make secret the binary key.

[0030] The reconciliation can produce a common bit string from correlated continuous data, which comprises the following: transforming each Gaussian key element of a block of size n by the sender into a string of m bits, giving m bit strings of length n, referred to as slices; converting, by the receiver, the measured key elements into binary strings by using a set of slice estimators; and sequentially reconciliating the slices by using an implementation of a binary error correction algorithm, and communicating on the public authenticated channel.

[0031] The post-processing of privacy amplification can comprise distilling a secret key out of the reconciliated key by use of a random transformation taken in a universal class of hash functions.

[0032] Informing the sender can comprise utilizing a public authenticated channel by the receiver to inform the sender. The channel parameters can include an error rate and a line attenuation.

[0033] In another embodiment of the present invention there is a device for implementing a continuous-variable quantum key exchange, the device comprising a light source or a source of electromagnetic signals configured to generate short quantum coherent pulses at a high repetition rate; an optical component configured to modulate the amplitude and phase of the pulses at a high frequency; a quantum channel configured to transmit the pulses from an emitter to a receiver; a system that permits the transmission of a local oscillator from the emitter to the receiver; a homodyne detector capable of measuring, at a high acquisition frequency, any quadrature component of the electromagnetic field collected at the receiver's station; a two-way authenticated public channel that is used to communicating non-secret messages in postprocessing protocols; and a computer at the emitter's and receiver's stations that drives or reads the optical components and runs the postprocessing protocols.

[0034] Alternatively, a local oscillator can be transmitted together with the signal by use of a polarization encoding system whereby each pulse comprises a strong local oscillator pulse and a weak orthogonally-polarized signal pulse with modulated amplitude and phase.

[0035] If polarization encoding is used, the receiving system relies on polarization-mode homodyne detection requiring a quarter-wave plate and a polarizing beam splitter.

[0036] In another embodiment of the present invention, there is a device for exchanging Gaussian key elements between two parties which are a sender and a receiver, the device comprising a laser diode associated with a grating-extended external cavity, the laser diode configured to send light pulses at a high repetition rate, each pulse typically containing several photons; an integrated electro-optic amplitude modulator and a piezoelectric phase modulator, configured to generate randomly-modulated light pulses, the data being organized in bursts of pulses; a beam-splitter to separate the quantum signal from a local oscillator; and a homodyne detector combining the quantum signal and local oscillator pulses in order to measure one of the two quadrature components of the light field.

[0037] The device may further comprise an acquisition board and a computer on the sender's and receiver's sides in order to run the post-processing protocols described here above.

[0038] The laser can operate at a wavelength comprised between about 700 and about 1600 nm, or the laser can operate at a wavelength comprising telecom wavelengths between about 1540 and 1580 nm.

[0039] The device may additionally comprise means for selecting, at the emitter, two random numbers x_(A) and p_(A) from a Gaussian distribution of mean zero and variance V_(A)N₀, where N₀ refers to the shot-noise variance; means for sending a corresponding coherent state |x_(A)+ip_(A)> in the quantum channel; means for randomly choosing, at the receiver, to measure either quadrature x or p using homodyne detection; means for informing the emitter about the quadrature that was measured so the emitter may discard the wrong one; means for measuring channel parameters on a random subset of the emitter's and receiver's data, in order to evaluate the maximum information acquired by an eavesdropper; and means for converting the resulting raw key in the form of a set of correlated Gaussian variables into a binary secret key comprising direct or reverse reconciliation in order to correct the errors and get a binary key, and privacy amplification in order to make secret the binary key.

BRIEF DESCRIPTION OF THE DRAWINGS

[0040]FIG. 1 is a diagram of one configuration of components demonstrating embodiments of the present invention.

[0041]FIG. 2 is a diagram representing Bob's measured values of the quadrature component as a function of Alice's sent values (in Bob's measurement basis) for a burst of 60,000 pulses exchanged between Alice and Bob in the configuration shown in FIG. 1.

[0042]FIG. 3. is a diagram representing the channel equivalent noise χ as a function of the channel transmission G, adjusted using a variable attenuator on the signal line.

[0043]FIG. 4 is a diagram representing the values of I_(BA) (increasing curve), I_(AE) (decreasing curve), I_(BE) (inverse U-shaped curve) as a function of the channel transmission G for V≈40.

DESCRIPTION OF CERTAIN EMBODIMENTS OF THE PRESENT INVENTION

[0044] One realisation of this quantum cryptographic scheme consists in modulating the quadrature components of coherent light pulses with a Gaussian distribution. The corresponding protocol is demonstrated in what follows. Dealing with Gaussian distributions makes the security of the entire protocol easier to analyse, but the scope of the present invention is not limited to such random distributions. Alternative continuous distributions may be used as well. Other improvements of the present invention can be foreseen, such as the use of more efficient reconciliation protocols that may potentially increase the achievable range.

[0045] The protocol described herein works by continuously modulating the phase and amplitude of coherent light pulses and measuring the quadrature components of the received coherent states. This clearly gives very important practical advantages to such a protocol, in view of the simplicity of the techniques needed to preparing and detecting coherent states. In particular, the high dimensionality of the phase space may be exploited by modulating the phase and amplitude quadratures with a large dynamics, allowing the encoding of several key bits per pulse. This, together with the fact that fast modulation and detection can be achieved, results in a high-rate secret key distribution.

[0046] This protocol, supplemented with a direct reconciliation scheme, can be shown to be secure provided that the transmission of the line is larger than 50%, i.e., the transmission loss is less than 3 dB¹¹. This is in accordance with the fact that QKD fundamentally relies on the use of non-orthogonal states only and may perfectly well work with macroscopic signals instead of single photons (see U.S. Pat. No. 5,515,438). The security of the protocol is related to the no-cloning theorem¹²⁻¹⁴, and non-classical features like squeezing or EPR correlations have no influence on the achievable secret key rate. The 3 dB loss limit of these protocols makes the security demonstration quite intuitive, but there may exist in principle multiple ways for two user/partners, e.g., Alice and Bob, to go beyond this limit, for instance by using QCV entanglement purification¹⁵.

[0047] The concept of reverse reconciliation, detailed below, is an efficient technique to cross this 3 dB limit that does not require the generation and purification of entanglement, but only a modified classical post-processing. The corresponding coherent-state protocol can, in principle, be secure for any value of the line transmission^(18,23). There is therefore no theoretical limit on the achievable range over which security can be guaranteed. In addition, it can be shown that the cryptographic security is strongly linked with entanglement, even though the protocol does not rely on entanglement.

[0048] Referring to FIG. 1, a configuration of components demonstrating embodiments of the present invention will be described. The components are partitioned into exemplary use by two users, Alice and Bob. The components include the following: Laser diode 102: e.g., SDL 5412 lasing at 780 nm; OI 104: e.g., optical isolator; λ/2 106: e.g., half-wave plate; AOM 108: e.g., acousto-optic modulator; MF 110: e.g., polarization maintaining monomode fibre; OD 112: e.g., optical density (attenuator); EOM 114: e.g., integrated LiNbO₃ electro-optic amplitude modulator; PBS 116: e.g., polarizing beam splitter; BS 118: e.g., beam splitter inducing variable attenuation; and PZT 120: e.g., piezo-electric transductor. The lenses are marked with a “f” followed by their focal lengths in millimeters. R and T are reflection and transmission coefficients.

[0049] The basic idea behind reverse reconciliation is to interchange the roles of Alice and Bob when converting the measured data into a common binary key, that is, Alice attempts to guess what was received by Bob rather than Bob guessing what was sent by Alice. Consequently, Alice always has an advantage over a potential eavesdropper, Eve, as the latter only has a noisy estimate of Alice's data at their disposal in order to guess Bob's data. This is, roughly speaking, the mechanism that ensures the security of these new protocols.

[0050] In the description below, the concept of coherent-state QKD supplemented with reverse reconciliation is introduced and then an individual attack using an entangling cloner is described. An explicit expression of the maximum achievable secret key rate is deduced. A table-top experiment that generates streams of data corresponding to the protocol will be described. Although Alice and Bob are not fully separated in the present implementation, the data are created by the same physical process and thus have the same structure as they would have in a real cryptographic exchange. Explicitly how to process the experimental data to extract the secret key will be demonstrated, that is, reverse reconciliation and privacy amplification protocols is performed. Finally, a quantitative evaluation of the expected performances of the scheme in a realistic key exchange is given.

[0051] Coherent-State Quantum Key Exchange and Reconciliation Protocols

[0052] In a QKD protocol such as BB84, Alice and Bob randomly choose one out of two complementary bases for respectively preparing and measuring a quantum signal, so their data are significant only when their bases are compatible. After this quantum exchange, they thus have to agree on a common basis and discard the wrong measurements. According to the present invention, we make use of a coherent-state protocol that extends this principle to QCV and runs as follows¹¹. First, Alice draws two random numbers x_(A) and p_(A) from a Gaussian distribution of mean zero and variance V_(A)N₀, where N₀ denotes the shot-noise variance, and then she sends to Bob the coherent state |x_(A)+ip_(A)>. Next, Bob randomly chooses to measure either the quadrature x or p. Then, using a public authenticated channel, he informs Alice about the quadrature that he measured so she may discard the wrong one. After running this protocol several times, Alice and Bob (and possibly the eavesdropper Eve) share a raw key, that is, a set of correlated Gaussian variables that are called key elements. After this quantum exchange, Alice and Bob must convert this raw key into a binary secret key by proceeding with the various steps described below including channel evaluation, direct or reverse reconciliation (to correct the errors and make the key binary), and privacy amplification (to make the key secret).

[0053] Channel Evaluation

[0054] First, Alice and Bob openly compare a sample of their key elements over the classical public channel in order to evaluate the error rate and transmission efficiency of the quantum channel. The sacrificed key elements must be chosen randomly and uniformly, so that they are representative of the whole sequence, and are unknown in advance to Eve. Knowing the correlations between their key elements, Alice and Bob can then evaluate the amount of information they share (I_(AB)) as well as the information that Eve can have about their values (I_(AE) and I_(BE)).

[0055] The estimated amount of eavesdropped information has some significance later on, in the privacy amplification procedure, when Eve's knowledge is destroyed. Indeed, it is known that Alice and Bob can in principle distil a secret key with a size S>sup(I_(AB)−I_(AE), I_(AB)−I_(BE)) bits per key element²⁴. Thus, if S>0, they can extract a common key from their correlated key elements by performing one-way classical communication over a public authenticated channel, revealing as little information as possible to Eve. There are actually two main options for doing this key extraction that are closely related to the above expression for S, namely performing either direct or reverse reconciliation.

[0056] Direct Reconciliation (DR)

[0057] Alice publicly sends correction information, revealing R bits, so Bob corrects his key elements to have the same values as Alice. At the end of this step, Alice and Bob have a common bit string of length I_(AB)+R, and Eve knows I_(AE)+R bits of this string (slightly more if the reconciliation protocol is not perfect). Therefore Alice and Bob get a useable secret key if (I_(AB)−I_(AE))>0 at the beginning. We call this “direct reconciliation” (DR) because the classical information flow has the same direction as the initial quantum information flow. Direct reconciliation is quite intuitive, but it is not secure as soon as the quantum channel efficiency falls below 50%¹¹. It may prove useful, however, for very noisy low-loss quantum channels.

[0058] Reverse Reconciliation (RR)

[0059] Alternatively, in a reverse reconciliation protocol, Bob publicly sends correction information and Alice corrects her key elements to have the same values as Bob. Since Bob gives the correction information, this reconciliation keeps (I_(AB)−I_(BE)) constant, and provides a useable key if (I_(AB)−I_(BE))>0. We call this “reverse reconciliation” (RR) because Alice needs to estimate what will be measured by Bob. Such a procedure is actually closer, in spirit, to single-photon QKD as there Bob simply communicates to Alice the time slots where he did not detect a photon (Alice thus reconciliates her data with Bob's measured values).

[0060] Privacy Amplification

[0061] The last step of a practical QKD protocol consists in Alice and Bob performing privacy amplification to filter out Eve's information. This can be done by properly mixing the reconciliated bits so as to spread Eve's uncertainty over the entire final key as described above. This procedure requires having an estimate of the amount of information collected by Eve on the reconciliated key, so we need to have a bound on I_(AE) for DR or on I_(BE) for RR. In addition, Alice and Bob must keep track of the number of bits exchanged publicly during reconciliation since Eve might have monitored them. This knowledge is destroyed at the end of the privacy amplification procedure, reducing the key length by the same amount. For a coherent state protocol, the DR bound on I_(AE) given in ¹¹ leads to a security limit for a 50% line transmission as mentioned above. The RR bound on I_(BE), is now established and shown that it is not associated with a minimum value of the line transmission.

[0062] Eavesdropping Strategy Based on an Entangling Cloner

[0063] In order to eavesdrop a reverse reconciliation scheme, Eve needs to guess the result of Bob's measurement without superimposing too much noise on Bob's data. We will call “entangling cloner”^(18,32) a system allowing her to do so. Such a cloner creates two quantum-correlated copies of Alice's quantum state, so Eve simply keeps one of them and sends the other one to Bob. Let (x_(in), p_(in)) be the input field quadratures of the entangling cloner, and (x_(B),p_(B)), (x_(E),p_(E)) the quadratures of Bob's and Eve's output fields. To be safe, Alice and Bob must assume Eve uses the best possible entangling cloner knowing Alice-Bob's channel quality: Eve's cloner should minimise the conditional variances^(16,17) V(x_(B)|x_(E)) and V(p_(B)|p_(E)), i.e., the variance of Eve's estimates of Bob's field quadratures (x_(B),p_(B)). As described above, these variances are constrained by Heisenberg-type relations, which limit what can be obtained by Eve,

V(x _(B) |x _(A))V(p _(B) ≡p _(E))>N ₀ ² and V(p _(B) |p _(A))V(x _(B) |x _(E))>N ₀ ⁰  (1)

[0064] where V(x_(B)|x_(A)) and V(p_(B)|p_(A)) denote Alice's conditional variances. This means that Alice and Eve cannot jointly know more about Bob's conjugate quadratures than allowed by the Heisenberg principle, even if they conspire together. As we shall see, Alice's conditional variances can be bounded by using the measured parameters of the quantum channel, which in turn makes it possible to bound Eve's variance. Here, the channel is described by the linearized relations x_(B)={square root}G_(x)(x_(in)+B_(x)) and p_(B)={square root}G_(p)(p_(in)+B_(p)), with <x_(in) ²>=<p_(in) ²>=VN₀≧N₀, <B_(x,p) ²>=χ_(x,p)N₀, and <x_(in)B_(x)>=<p_(in)B_(p)>=0. The quantities χ_(x), χ_(p) represent the channel noises referred to its input, also called equivalent input noises¹⁶⁻¹⁷, while G_(x), G_(p) are the channel gains for x and p (G_(x,p)<1 for a lossy transmission line), and V is the variance of Alice's field quadratures in shot-noise units (V=V_(A)+1).

[0065] Now comes the crucial point of the demonstration. The output-output correlations of the entangling cloner, described by V(x_(B)|x_(E)) and V(p_(B)|p_(E)), should only depend on the density matrix D_(in) of the field (x_(in),p_(in)) at its input, and not on the way Alice produced this field namely whether it is a Gaussian mixture of coherent states or one of two EPR-correlated beams. Inequalities (1) thus have to be fulfilled for every physically allowed values of V(x_(B)|x_(A)) and V(p_(B)|p_(A)) given D_(in). If we look for a bound to Eve's knowledge by using (1), we have thus to use the smallest possible value for V(x_(B)|x_(A)) and V(p_(B)|p_(A)) given D_(in). In particular, we must assume that Alice uses EPR beams to maximise her knowledge of Bob's results, even though she does not do so in practice. The two-mode squeezing (or entanglement) that Alice may use is, however, bounded by the variance of her field V, which in turn implies a limit on how well Alice can know Bob's signal as described above:

V(p _(B) |p _(A))>G _(p)(χ_(p) +V ⁻¹)N ₀ and V(x _(B) |x _(A))≧G _(x)(χ_(x) +V ⁻¹)N ₀  (2)

[0066] These lower bounds may be compared with the actual values if Alice sends coherent states, that is, V(x_(B)|x_(A))_(coh)=G_(x)(χ_(x)+1)N₀ and V(p_(B)|p_(A))_(coh)=G_(p)(χ_(p)+1)N₀. Nevertheless, if we look for an upper bound on Eve's knowledge by using (1), we need to use the pessimistic limits given by (2), which implies

V(x _(B) |x _(E))≧N ₀ /{G _(p)(χ_(p) +V ⁻¹)} and V(p_(B) |p _(E))≧N ₀ /{G _(x)(χ_(x) +V ⁻¹)}  (3)

[0067] It is worthwhile asking whether Eve can reach these bounds. In a practical QKD scheme, Alice and Bob will give the same roles to x and p, and Bob will randomly choose one of them, as explained above. Assuming therefore that G_(x)=G_(p)=G and χ_(x)=χ_(p)=χ, the two bounds of (3) reduce to V(B|E)≧N₀/{G(χ+V⁻¹)}. An entangling cloner achieving this limit can be sketched as follows. Eve uses a beamsplitter with a transmission G<1 to split up a part of the signal transmitted from Alice to Bob, and she injects into the other input port a field E_(m) that will induce a noise with the appropriate variance at Bob's end. In order to fully control this field E_(m), Eve will inject one of two EPR-correlated beams, and she will keep the second one until Alice and Bob have revealed their bases. This ensures Eve is maximally entangled with Bob's field, compatible with the noise observed by Bob (this is an “entangling” attack). A straightforward calculation¹⁸ shows that such an entangling cloner does reach the lower limit of (3).

[0068] Security Condition and Secret Bit Rate for a Reverse Reconciliation Protocol

[0069] In a reverse quantum cryptography protocol, Eve's ability to infer Bob's measurement is limited by the inequalities (3) and one must assume that a “perfect” Eve is able to reach these limits. In order to estimate the limits on information rates, we use Shannon's theory for Gaussian additive-noise channels (Shannon). The information shared by Alice and Bob is given by the decrease of Bob's field entropy that comes with the knowledge of Alice's field, i.e., I_(AB)=H(B)−H(B|A). For a Gaussian distribution, the entropy is given, up to a constant, by H(B)=(1/2)log₂(V_(B)) bits per symbol, where V_(B) is the variance. For simplicity, we assume here that the channel gains and noises, and the signal variances are the same for x and p. In practice, deviations from this should be estimated by statistical tests). Thus, according to Shannon's formula, the information rates I_(BA) and I_(BE) are given by:

I _(BA)=(1/2)log₂ [V _(B)/(V _(B|A))_(coh)]=(1/2)log₂[(V+χ)/(1+χ)]  (4a)

I _(BE)=(1/2)log₂ [V _(B)/(V _(B|E))_(min)]=(1/2)log₂ [G ²(V+χ)(V ⁻¹+χ)]  (4b)

[0070] where V_(B)=<x_(B) ²>=<p_(B) ²>=G(V+χ)N₀ is Bob's variance, (V_(B|E))_(min)=V(x_(B)|x_(E))min=V(p_(B)|p_(E))_(min)=N₀/{G(χ+V⁻¹)} is Eve's minimum conditional variance, and (V_(B|A))_(coh)=V(x_(B)|x_(A))_(coh)=V(p_(B)|p_(A))_(coh)=G(χ+1)N₀ is Alice's conditional variance for a coherent-state protocol. The secret information rate for such a reverse reconciliation protocol is thus^(18,32)

ΔI _(RR) =I _(BA) −I _(BE)=−(1/2)log₂ [G ²(1+χ)(V ⁻¹+χ)]  (5)

[0071] and the security is guaranteed (ΔI>0) provided that G²(1+χ)(V⁻¹+χ)<1. For a direct reconciliation protocol, a similar calculation gives ΔI_(DR)=I_(AB)−I_(AE)=(1/2)log₂[(V+χ)/(1+Vχ)] so the security is guaranteed if χ<1. The equivalent input noise χ includes two contributions: one is the “vacuum noise” due to the losses along the line, given by χ_(vac)=(1−G)/G. The noise above vacuum noise, which we call “excess noise”, is defined as ε=χ−χ_(vac)=χ−(1−G)/G. In the limit of high losses (G<<1) one has ΔI_(RR)≈−(1/2)log₂[1+G(2ε+V⁻¹−1)], and thus the protocol will be secure provided that ε<(V−1)/(2V)˜1/2. Therefore RR may indeed be secure for any value of the line transmission G provided that the amount of excess noise E is not too large. This is an important difference with DR, which may tolerate large excess noise but requires low line losses since we have the conditions G>1/2 and ε<(2G−1)/G.

[0072] It should be emphasised that squeezing and entanglement do play a crucial role in the security demonstration, even though we deal with a coherent state protocol. This is because the bound on I_(BA) is obtained by assuming that Alice may use squeezed or entangled beams, and the bound on I_(BE) can be achieved only if Eve uses an entangling attack. Therefore, though we did not consider the most general situation of a collective and/or non-Gaussian attack on the whole key exchange between Alice and Bob, we can reasonably conjecture that the security proof encompasses all eavesdropping strategies.

[0073] Detailed Description of an Experimental Optical Set-Up

[0074] In order to exchange correlated sets of Gaussian variables with Bob, Alice sends randomly modulated light pulses of 120 ns duration at a 800 kHz repetition rate. Each pulse contains up to 250 photons, and Bob performs an homodyne measurement of either x or p, using local oscillator (LO) pulses, containing about 10⁸ photons, that are also transmitted to him. One configuration of an experimental set-up³² is shown on FIG. 1. The channel losses are simulated by inserting a variable attenuator between Alice and Bob. FIG. 2 shows a data burst of 60,000 pulses measured by Bob, as a function of the amplitude sent by Alice in Bob's measurement basis. The line transmission is 100% and the modulation variance is V=41.7. The solid line is the theoretical prediction (slope equal to one), and the insert shows the corresponding histograms of Alice's (gray curve) and Bob's (black curve) data.

[0075] The laser source consists of a commercially available CW laser diode (SDL 5412) at 780 nm associated with an acousto-optic modulator, that is used to chop pulses with a duration 120 ns (fall width half-maximum), at a repetition rate 800 kHz. In order to reduce excess noise, a grating-extended external cavity is used, and the beam is spatially filtered using a polarisation maintaining single mode fibre. Light pulses are then split onto a 10% reflecting beam-splitter, one beam being the local oscillator (LO), the other Alice's signal beam. The data is organised in bursts of 60000 pulses, separated by time periods that are used to lock the phase of the LO and sequences of pulses to synchronise the parties. In the present experiment, there is a burst every 1.6 seconds, which corresponds to a duty cycle of about 5%, but this should be easy to improve.

[0076] The desired coherent state distribution is generated by Alice by modulating randomly both the amplitude and phase of the light pulses with the appropriate probability law. In the present experiment, the amplitude of each pulse is arbitrarily modulated at the nominal 800 kHz rate. However, due to the unavailability of a fast phase modulator at 780 um, the phase is not randomly modulated but scanned continuously from 0 to 2π using a piezoelectric modulator. For such a determinist phase variation, the security of the protocol is of course not warranted and thus no genuine secret key can be distributed. However, the experiment provides realistic data, that will have exactly the awaited structure provided that random phase permutation on Bob's data are performed. The amplitude modulator is an integrated electro-optic LiNbO₃ Mach-Zehnder interferometer, allowing for small voltages inputs (V_(π)=2.5V) at 780 nm. All voltages for the electro-optic modulator or the piezoelectric transductor are generated by an acquisition board (National Instruments PCI6111E) connected to a computer. Though all discussions assume the modulation to be continuous, digitised voltages are obviously used in practice. With the experimental parameters, a resolution of 8 bits is enough to hide the amplitude or phase steps under shot noise. Since the modulation voltage is produced using a 16 bits converter, and the data is digitised over 12 bits, we may fairly assume the modulation to be continuous. Due to an imbalance between the paths of the interferometer, the modulator extinction is not strictly zero. In the present experiment that is only aimed at a proof of principle, the offset field from the data received by Bob is subtracted. In a real cryptographic transmission, the offset field should be compensated by Alice, either by adding a zeroing field, or by using a better modulator. For each incoming pulse, either the x or p signal quadrature is measured by appropriate switching of the LO phase. The homodyne detection was checked to be shot-noise limited for LO power up to 5×10⁸ photons/pulse. The overall homodyne detection efficiency is 0.76, due to the optical transmission (0.9), the mode-matching efficiency (0.92) and the photodiode quantum efficiency (0.92).

[0077] The experiment is thus carried out in such a way that all useful parameters—such as photon numbers, signal to noise ratios, added noises, information rate, etc.—can be measured experimentally. Reconciliation and privacy amplification protocols can thus be performed in realistic—though not fully secret—conditions. The limitations of the present set-up are essentially due to the lack of appropriate fast amplitude and phase modulator at 780 nm. This should be easily solved by operating at telecom wavelengths (1540-1580 nm) where such equipment is readily available.

[0078] Referring to FIG. 3, the curve is the theoretical prediction χ_(vac)=(1−G)/G. The error bars include two contributions with approximately the same size, from statistics (evaluated over bursts of 60,000 pulses) and systematics (calibration errors and drift). After the quantum exchange, Alice and Bob evaluate the total added noise by calculating the variance of the difference between their respective values. This variance has four contributions: the shot noise N₀, the channel noise χN₀, the electronics noise of Bob's detector (N_(el)=0.26N₀), and the noise due to imperfect homodyne detection efficiency (N_(hom)=0.32N₀). In the absence of line losses, the measured χ is (0.01±0.04), while it is expected to be zero. This is attributed to various calibration errors and drifts in the set-up, and gives an idea of the experimental uncertainty in the evaluation of the channel noise. In presence of line losses, the measured χ increases as (1−G)/G as expected, see FIG. 3.

[0079] Referring to FIG. 4, the value of I_(BE) is calculated by assuming that Eve cannot know the noises N_(el) and N_(hom), which are internal to Bob's detector. This corresponds to a “realistic” hypothesis, where the noise of Bob's detector is not controlled by Eve. The theoretical value of I_(AE) is also plotted in order to compare RR with DR.

[0080] The detection noises N_(el) and N_(hom) originate from Bob's detection system only, so one may reasonably assume that they do not contribute to Eve's knowledge. In this “realistic” approach, I_(BE) is given by Eq.(4b) with χ being the channel noise (i.e., subtracting the detection noises). In FIG. 4, I_(BE) is plotted together with the value of I_(BA) as given by Eq. (4a), where χ is now the total equivalent noise including both transmission and detection. The difference between these two curves gives the achievable secret key rate in reverse reconciliation ΔI_(RR) as a function of the line transmission G. We also show Alice-Eve information I_(AE)=(1/2)log₂[(V+χ⁻¹)/(1χ⁻¹)], corresponding to a direct reconciliation protocol¹¹, with χ being the channel noise. The comparison of the DR and RR protocols is straightforward by looking at FIG. 4.

[0081] Computer Simulation of the Secret Key Distillation

[0082] One aspect in the protocol is to design a (direct or reverse) reconciliation algorithm that can efficiently extract a binary common key from the measured data. A computer program that performs the various steps of secret key distillation described above, namely channel evaluation, reconciliation, and privacy amplification³² was written. Under the scope of this “proof-of-principle” experiment, Alice and Bob are simulated on the same computer, although it poses no fundamental problem to make them remotely communicate over a network. This would require the use of a classical public authenticated channel in addition to the quantum channel. The designed program accepts as input the sequences of Alice's sent values and Bob's measurement outcomes, and produces a secret key as detailed below. First, Alice's and Bob's key elements are compared in order to measure the relevant parameters of the quantum channel, namely the overall transmission G and added noise χ. The estimation of Eve's knowledge is based on Eq. (4), that gives a bound on I_(BE) once G and χ are known to Alice and Bob. Then, a reconciliation algorithm is performed, with as few leaked bits to Eve as possible. Protocols based on discrete quantum states such as BB84²⁰ can use a discrete reconciliation protocol, for example Cascade²¹. In contrast, since continuous key elements are produced here, we instead needed to develop a “sliced” reconciliation algorithm^(9,22), which produces a common bit string from correlated continuous key elements as described above. Finally, we carry out privacy amplification in such a way that, loosely speaking, every bit of the final key is a function of most if not all of the reconciliated bits. Following²³⁻²⁵, we can reduce the size of the key by (nI_(BE)+r+Δ(n)) bits, where r indicates the public information leaked during the reconciliation of the sequence of size n, and Δ(n) is an extra security margin as described above. This follows from the assumption that Eve can only use individual attacks, so that we can consider key elements and eavesdropping as independent repetitions of identical random processes.

[0083] Demonstration of Relevant Heisenberg Relations

[0084] Let us consider the situation where Alice tries to evaluate x_(B), and Eve tries to evaluate p_(B) in a reverse reconciliation protocol. The corresponding estimators can be de noted as αx_(A) for Alice and βp_(E) for Eve, where α and β can be taken as real numbers. The errors for these estimators will be x_(B|A, α)=x_(B)−αx_(A), and p_(B|E,β)=p_(B)−βp_(E). Since all operators for Alice, Bob and Eve commute, one has obviously [x_(B|A,α),p_(B|E,β)]=[x_(B),p_(B)] and thus we get the Heisenberg relation Δx_(B|A,α) ² Δp_(B|E,β) ²≧N₀ ². Since the conditional variances are by definition given by V(x_(B)|x_(A))=min_(α){Δx_(B|A,α) ²} and V(p_(B)|p_(E))=min_(β){Δp_(B|E,β) ²}, we obtain the expected relation V(x_(B)|x_(A))V(p_(B)|p_(E))≧N₀ ². Exchanging the roles of x and p, one gets also the symmetrical relation V(p_(B)|p_(A))V(x_(B)|x_(E))≧N₀ ².

[0085] Alice has the estimators (x_(A),p_(A)) for the field (x_(in),p_(in)) that she sends out, so that one can write x_(in)=x_(A)+A_(x) and p_(in)=p_(A)+A_(p) with <A_(x) ²>=<A_(p) ²>=sN₀, where s is related to the amount of squeezing that may be used by Alice to generate this field, and obeys s≧V⁻¹. By calculating the correlation coefficients <p_(A) ²>=(V−s)N₀, <p_(B) ²>=G_(p)(V+χ_(p))N₀, and <p_(A)p_(B)>={square root}G_(p)<p_(A) ²>, one obtains Alice's conditional variance on Bob's measurement, V(p_(B)|p_(A))=<p_(B) ²>−|<p_(A)p_(B)>|²/<p_(A) ²>=G_(p)(s+χ_(p))N₀. This equation and the constraint s≧V⁻¹ gives finally V(p_(B)|p_(A))≧G_(p)(V⁻¹+χ_(p))N₀, and similarly V(x_(B)|x_(A))≧G_(x)(V⁻¹+χ_(x))N₀ by exchanging the roles of x and p.

[0086] Detailed Description of Sliced Reconciliation

[0087] We assume that Alice and Bob share correlated Gaussian key elements from which they wish to extract I(A; B) common bits, where A (resp. B) denotes the random variable representing one of Alice's (resp. Bob's) Gaussian key elements, described using their binary expansion. In order to deal with realistic streams of data despite the non-random phase modulation used in the current experiment, the key elements must actually be randomly permuted before processing. The reconciliation procedure^(9,22) works in the following way. Alice chooses m functions S₁(A), . . . , S_(m)(A) that map her key elements onto {0, 1}^(m). If Alice and Bob exchanged a block of n key elements A₁, . . . , A_(n), Alice thus creates m bit strings of length n, called “slices”, by applying each function S_(i) to all her key elements: S_(i)(A₁), . . . , S_(i)(A_(n)). Then Alice and Bob reconciliate each slice sequentially for i=1 . . . n. Since this comes down to reconciliating bit strings, we used an implementation¹⁹ of the binary error correction algorithm Cascade²¹. Bob, on his side, must also convert his key elements B₁, . . . , B_(n) into binary strings. To this end, he uses another set of functions R_(i), called “slice estimators”, which estimate the bits S_(i)(A) given Bob's current knowledge. Since the slices are corrected sequentially for i=1, . . . , m, Bob already knows S₁(A), . . . , S_(i−1)(A) upon correcting slice i, so that the slice estimator R_(i) is a function of B and of the previous reconciliated slices, that is R_(i)(B; S₁(A), . . . , S_(i−1)(A)). It remains to detail how the functions S_(i) are created. On the one hand, we wish to extract as many bits as possible out of A and B, but, on the other hand, any bit leaked during the binary reconciliation with Cascade does not count as a secret bit since it is publicly known. The difference between these two quantities defines the net amount of (potentially secret) reconciliated bits per key element, which can be expressed as H(S₁(A), . . . , S_(m)(A))−Σ_(i)h(e_(i)), where the first term is the entropy of the Alice's produced bits, and e_(i)=Pr[R_(i)(B;S₁(A), . . . , S_(i−1)(A))≠S_(i)(A)]. This uses the fact that, according to Shannon theory, at least n h(e) bits must be disclosed to correct a string of length n with bit error probability e, where h(x)=−x log₂ x−(1−x)log₂(1−x). Note that in practice Cascade leaks a little bit more than Shannon's formula. In the case of the current set-up, it appeared useless to reconciliate the bits beyond some precision level, so we chose to use m=5 slices as a trade-off between a satisfactory number of reconciliated bits and reasonable computing resources. We discretized the field amplitudes into 2^(m)=32 intervals, numbered from 0 to 31. What was found to work best²² is to assign the least significant bit of the interval number to S₁(A), the second least significant bit to S₂(A), and so on, up to the most significant bit to S₅(A). In other words, the reconciliation is carried out from a fine-grained level to a coarse-gained level. We then numerically optimized the interval boundaries so as to maximise the net amount of reconciliated bits. It should be stressed that the binary error correction algorithm used in this implementation, Cascade²¹, is a two-way interactive protocol, so that the information leaking to Eve should be estimated carefully. For example, in RR, Eve may gain some knowledge on Alice's value that might give her some additional information on the key (Bob's value). The same problem occurs in DR, but to a smaller extent. This additional information, which reduces the number of secret bits, must be evaluated numerically³².

[0088] Detailed Description of Privacy Amplification

[0089] Privacy amplification amounts to process the reconciliated key into a random transformation taken in a universal class of hash functions^(25,26). In this case, we chose the class of truncated linear functions in a finite field. This means we considered the reconciliated bits as coefficients of a binary polynomial in a representation of the Galois field GF(2¹¹⁰⁵⁰³) whose size allows to process up to 110503 bits at once, and hashing was achieved by first multiplying the reconciliated polynomial with a random element of the field and then extracting the desired number of least significant bits³². This operation can be implemented efficiently (see e.g.²⁷). In practice, the explicit knowledge of a prime polynomial over GF(2) is needed to perform the modular reduction, so we used the polynomial²⁸ x¹¹⁰⁵⁰³+x⁵¹⁹+1. Finally, the number of extracted bit is n H(S₁(A), . . . , S_(m)(A))−I(A;E)−r−Δ(n), where we reduced the final key size by some extra amount Δ(n), which depends on the actual number of key elements and the desired security margin. The evaluation of Δ(n), which is basically a finite size effect, will not be described here.

[0090] Evaluation of the Proposed QKD Schemes

[0091] Table 1 shows the ideal and practical secret key rates of the direct-reconciliation and reverse-reconciliation QKD protocols for several values of the line transmission G. The RR scheme is in principle efficient for any value of G, provided that the reconciliation protocol achieves the limit given by I_(BA). However, in practice, unavoidable deviations of the algorithm from Shannon's limit reduce the actual reconciled information shared by Alice and Bob, while I_(BE) is of course assumed unaffected. For high modulation (V≈40), the reconciliation efficiency lies around 80%, which makes it possible to distribute a secret key at a rate of several hundreds of kbits per second for low losses. However, the achievable reconciliation efficiency drops when the signal-to-noise ratio (SNR) decreases, so that no secret bits can be extracted when the channel gain G is too low. This can be improved by reducing the modulation variance, which increases the ratio I_(BA)/I_(BE) so the constraint on the reconciliation efficiency is less severe. Although the ideal secret key rate is then lower, we could process the data with a reconciliation efficiency of 78% for G=0.49 (3.1 dB) and V=27, resulting in a net key rate of 75 kbits/s. This clearly demonstrates that RR continuous-variable protocols operate efficiently at and beyond the 3 dB loss limit of DR protocols. We emphasize that, although we were not able to extract a key well above 3 dB in this “proof-of-principle” experiment, an increase of the reconciliation efficiency would immediately translate into a larger achievable range.

[0092] The QCV protocol can be compared with single-photon protocols on two aspects: the raw repetition frequency and the secret key rate in bits per time slot. In photon-counting QKD, the key rate is intrinsically limited by the maximum repetition frequency of the single-photon detector, typically of the order of 100 kHz, due to the lifetime of trapped charges in the semiconductor. In contrast, homodyne detection may run at frequencies of up to tens of MHz. In addition, a specific advantage of the high dimensionality of the QCV phase space is that the field quadratures can be modulated with a large dynamics, allowing the encoding of several key bits per pulse. Very high secret bit rates are therefore attainable with the coherent-state protocol when using transmission lines of low losses (up to about 3 dB in the present implementation). For high-loss transmission lines, the protocol is presently limited by the reconciliation efficiency, but its intrinsic performances remain very high. Let us consider an ideal situation where the reconciliation algorithm attains Shannon's bound and the excess noise is negligible. Then, the net key rate of the protocol is slightly above that of BB84, which yields G n_(ph)/2 secret bits per time slot for a noiseless line, where n_(ph) is the number of photons sent per time slot. Taking for instance a 67.1 km line (typical current distance for state-of-the-art single-photon QKD³⁰) with 14.3 dB loss and a reasonable modulation V=10, the protocol would ideally yield a secret key rate of 0.025 bits per time slot. Thus, assuming perfect reconciliation and a pulse repetition rate of a few MHz, the QCV protocol could achieve a secret key rate as high as 100 kbits/sec. Note, however, that I_(BA)=0.208 bits per time slot in this case, so that a reconciliation efficiency of about 90% would actually be needed in a regime of very low (around −5 dB) signal-to-noise ratio. The currently available reconciliation protocols do not reach this regime. For comparison, the secret key rate of BB84 with an ideal single-photon source and perfect detectors would be at best 0.019 bits per time slot with the same line, and even one order of magnitude smaller using attenuated light pulses with n_(ph)=0.1.

[0093] This application incorporates by reference the subject matter as was originally filed, a portion of which was excised to meet PTO publication requirements.

[0094] Although the present “proof-of-principle” setup is far from reaching these numbers, there is still a considerable margin for improvement, both in the hardware and the software. For example, working at telecom wavelengths where fast modulators are available would overcome some of the technical limitations of the present set-up. Concerning the receiver's system, increasing the detection bandwidth or the homodyne efficiency, and decreasing the electronic noise would significantly enhance the achievable range. Also, significant improvement may result from further research on reconciliation algorithms³¹. This suggests that the way is open for testing the present proposal as a practical, high bit-rate, quantum key distribution scheme over moderate distances. TABLE 1 Ideal Practical Ideal Practical G Losses RR rate RR rate DR rate DR rate V (%) (dB) (kb/s) (kbs/s) (kb/s) (kb/s) 41.7 100 0.0 1,920 1,690 1,910 1,660 38.6 79 1.0 730 470 540 270 32.3 68 1.7 510 185 190 — 27.0 49 3.1 370 75 0 — 43.7 26 5.9 85 — 0 —

[0095] Table 1 summarizes the parameters of the quantum key exchange for several values of the line transmission G (the corresponding losses are given in dB). The variations of Alice's field variance V are due to different experimental adjustments. The ideal secret key bit rates would be obtained from the measured data with perfect key distillation, yielding exactly I_(BA)−I_(BE) bits (RR) or I_(AB)−I_(AE) (DR). The practical secret key bit rates are the one achieved with the current key distillation procedure (“−” means that no secret key is generated). Both bit rates are calculated over bursts of about 60,000 pulses at 800 kHz, not taking into account the duty cycle (≈5%) in the present setup.

REFERENCES

[0096]^(1.) For a review, see for instance: Gisin, N., Ribordy, G., Tittel, W. & Zbinden H., Rev. Mod. Phys. 74, 145 (2002); see also Tittel, W., Ribordy, G. & Gisin, N, Quantum cryptography, Physics World, 41-45 (March 1998).

[0097]^(2.) Hillery, M., Quantum cryptography with squeezed states, Phys. Rev. A 61, 022309-1-022309-8 (2000).

[0098]^(3.) Ralph, T. C., Continuous variable quantum cryptography, Phys. Rev. A 61, 010303(R)-1-010303-4 (2000).

[0099]^(4.) Ralph, T. C., Security of continuous-variable quantum cryptography, Phys. Rev. A 62, 062306-1-062306-7 (2000).

[0100]^(5.) Reid, M. D., Quantum cryptography with a predetermined key, using continuous-variable Einstein-Podolsky-Rosen correlations, Phys. Rev. A 62, 062308-1-062308-6 (2000).

[0101]^(6.) Gottesman, D. & Preskill, J., Secure quantum key distribution using squeezed states, Phys. Rev. A 63, 022309-1-022309-18 (2001).

[0102]^(7.) Cerf, N. J., Lèvy, M. & Van Assche, G. Quantum distribution of gaussian keys using squeezed states, Phys. Rev. A 63, 052311-1-052311-5 (2001).

[0103]^(8.) Bencheikh, K., Symul, Th., Jankovic, A. & Levenson, J. A., Quantum key distribution with continuous variables, J. Mod. Optics 48, 1903-1920 (2001);

[0104]^(9.) Cerf, N. J., Iblisdir, S. & Van Assche, G., Cloning and cryptography with quantum continuous variables, Eur. Phys. J. D 18, 211-218 (2002).

[0105]^(10.) Silberhorn, Ch., Korolkova, N. & Leuchs, G., Quantum key distribution with bright entangled beams, Phys. Rev. Lett. 88, 167902-1-167902-4 (2002).

[0106]^(11.) Grosshans, F. & Grangier, Ph., Continuous variable quantum cryptography using coherent states, Phys. Rev. Lett. 88, 057902-1-057902-4 (2002).

[0107]^(12.) Cerf, N. J., Ipe, A. & Rottenberg, X., Cloning of continuous variables, Phys. Rev. Lett. 85, 1754-1757 (2000).

[0108]^(13.) Cerf, N. J. & Iblisdir, S, Optimal N-to-M cloning of conjugate quantum variables, Phys. Rev. A 62, 040301(R)-1-040301-3 (2000).

[0109]^(14.) Grosshans, F. & Grangier, Ph, Quantum cloning and teleportation criteria for continuous quantum variables, Phys. Rev. A 64, 010301(R)-1-010301-4 (2001). ^(15.) Duan, L.-M., Giedke, G., Cirac, J. I. & Zoller, P., Entanglement purification of gaussian continuous variable quantum states, Phys. Rev. Lett. 84, 4002-4005 (2000).

[0110]^(16.) Poizat, J. Ph., Roch, J.-F. & Grangier, P., Characterization on quantum non-demolition measurements in optics, Ann. Phys. (Paris) 19, 265-297 (1994).

[0111]^(17.) Grangier, Ph., Levenson, J. A. & Poizat, J.-Ph., Quantum non-demolition measurements in optics, Nature 396, 537-542 (1998).

[0112]^(18.) Grosshans, F. & Grangier, Ph., Reverse reconciliation protocols for quantum cryptography with continuous variables, E-print arXiv:quant-ph/0204127-1-0204127-5 (April 2002).

[0113]^(19.) Nguyen, K., Extension des Protocoles de Réconciliation en Cryptographie Quantique, Master Thesis, (Université Libre de Bruxelles, Bruxelles, 2002).

[0114]^(20.) Bennett, C. H. & Brassard, G., Quantum key distribution and coin tossing, Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, 175-179 (IEEE, New York, 1984).

[0115]^(21.) Brassard, G. & Salvail, L., Secret-key reconciliation by public discussion, Advances in Cryptology—Eurocrypt'93, Lecture Notes in Computer Science, 411-423 (Springer-Verlag, New York, 1993).

[0116]^(22.) Van Assche, G., Cardinal, J. & Cerf, N. J., Reconciliation of a quantum-distributed Gaussian key, E-print arXiv:cs.CR/0107030 (2001).

[0117]^(23.) Maurer, U. M. & Wolf, S., Information theoretic key agreement: from weak to strong secrecy for free, Advances in Cryptology—Eurocrypt 2000, Lecture Notes in Computer Science, 351-368 (Springer-Verlag, New York, 2000).

[0118]^(24.) Maurer, U. M., Secret key agreement by public discussion from common information, IEEE Trans. Inform. Theory 39, 733-742 (1993).

[0119]²⁵. Bennett, C. H., Brassard, G., Crepeau, C. & Maurer, U. M., Generalized privacy amplification, IEEE Trans. on Inform. Theory 41, 1915-1935 (1995).

[0120]^(26.) Carter, J. L. & Wegman, M. N., Universal Classes of Hash Functions, J. of Comp. and Syst. Sci. 18, 143-154 (1979).

[0121]^(27.) Schönhage, A., Schnelle Multiplikation von Polynomen über Körpern der Charakteristik 2, Acta Informatica 7, 395-398 (1977).

[0122]^(28.) Brent, R. P., Larvala, S. & Zimmermann, P., A fast algorithm for testing irreductibility of trinomials mod 2, Tech. Rep., Oxford University Computing Laboratory, 1-16 (2000).

[0123]^(29.) Braunstein, S. L. & Pati, A. K., Quantum information theory with continuous variables, Kluwer Academic, Dordrecht, 2003.

[0124]^(30.) Stucki, D., Gisin, N., Guinnard, O., Ribordy, G. & Zbinden H., Quantum Key Distribution over 67 km with a plug & play system, E-print arXiv:quant-ph/0203118 (2002).

[0125]^(31.) Buttler, W. T., Lamoreaux, S. K., Torgerson, J. R., Nickel, G. H. & Peterson, C. G., Fast, efficient error reconciliation for quantum cryptography. E-print arXiv:quant-ph/0203096 (2002).

[0126]^(32.) Grosshans F., Van Assche G., Wenger J., Brouri R., Cerf N. J. & Grangier Ph., Quantum key distribution using gaussian-modulated coherent states, Nature 421, 238-241 (2003). 

1. A quantum cryptographic system comprising: at least one sending unit comprising and encoder and distributing a raw key in the quadrature components of quantum coherent states that are continuously modulated in phase and amplitude; at least one receiving unit comprising a homodyne detector of the quantum coherent states in order to measure the quadrature components of the states; a quantum channel for connecting the sending unit to the receiving unit; and a two-way authenticated public channel for transmitting non-secret messages between the sending unit and the receiving unit.
 2. The quantum cryptographic system of claim 1, further comprising a continuous-variable quantum key distribution protocol ensuring that the amount of information a potential eavesdropper may gain at most on the sent and received data can be estimated from the measured parameters of the quantum channel (error rate and line attenuation).
 3. The quantum cryptographic system of claim 2, wherein the sent and received raw data resulting from the continuous-variable protocol are converted into a secret binary key by using a continuous reconciliation protocol supplemented with privacy amplification.
 4. The quantum cryptographic system of claim 1, wherein the encoder of the quadrature components with a high signal-to-noise ratio encodes several key bits per coherent light pulse.
 5. The quantum cryptographic system of claim 1, wherein the decoding of the quadrature components of the light field via the homodyne detector achieves high secret bit rates in comparison to photon-counting techniques.
 6. The quantum cryptographic system of claim 3, wherein the continuous reconciliation protocol is a direct reconciliation protocol, which allows the receiver to discretize and correct its data according to the sent values, in case of noisy quantum channels with low losses.
 7. The quantum cryptographic system of claim 3, wherein the continuous reconciliation protocol is a reverse reconciliation protocol, which allows the sending unit to discretize and correct its data according to the values measured by the receiver, in case of quantum channels with an attenuation that exceeds 3 dB.
 8. The quantum cryptographic system of claim 3, wherein the secret key is used as a private key for ensuring confidentiality and authentication of a cryptographic transmission.
 9. The quantum cryptographic system of claim 1, wherein the quadrature components of the quantum coherent states are modulated with a Gaussian distribution.
 10. The quantum cryptographic system of claim 9, wherein the co-ordinate values of the center of the Gaussian distribution are arbitrary.
 11. The quantum cryptographic system of claim 9, wherein the variance of the Gaussian distribution for the quadrature X is different from the variance of the Gaussian distribution for the conjugate quadrature P.
 12. The quantum cryptographic system of claim 9, wherein the Gaussian-modulated coherent sates are attenuated laser light pulses typically containing several photons.
 13. The quantum cryptographic system of claim 12, wherein the information an eavesdropper may gain on the sent and received Gaussian-distributed values are calculated explicitly using Shannon's theory for Gaussian channels.
 14. A method of distributing continuous quantum key between two parties which are a sender and a receiver, the method comprising: selecting, at a sender, two random numbers x_(A) and p_(A) from a Gaussian distribution of mean zero and variance V_(A)N₀, where N₀ refers to the shot-noise variance; sending a corresponding coherent state |x_(A)+ip_(A)> in the quantum channel; randomly choosing, at a receiver, to measure either quadrature x or p using homodyne detection; informing the sender about the quadrature that was measured so the sender may discard the wrong one; measuring channel parameters on a random subset of the sender's and receiver's data, in order to evaluate the maximum information acquired by an eavesdropper; and converting the resulting raw key in the form of a set of correlated Gaussian variables into a binary secret key comprising direct or reverse reconciliation in order to correct the errors and get a binary key, and privacy amplification in order to make secret the binary key.
 15. The method of claim 14, wherein the reconciliation produces a common bit string from correlated continuous data, which comprises the following: transforming each Gaussian key element of a block of size n by the sender into a string of m bits, giving m bit strings of length n, referred to as slices; converting, by the receiver, the measured key elements into binary strings by using a set of slice estimators; and sequentially reconciliating the slices by using an implementation of a binary error correction algorithm, and communicating on the public authenticated channel.
 16. The method of claim 14, wherein the post-processing of privacy amplification comprises distilling a secret key out of the reconciliated key by use of a random transformation taken in a universal class of hash functions.
 17. A device for implementing a continuous-variable quantum key exchange, the device comprising: a light source or a source of electromagnetic signals configured to generate short quantum coherent pulses at a high repetition rate; an optical component configured to modulate the amplitude and phase of the pulses at a high frequency; a quantum channel configured to transmit the pulses from an emitter to a receiver; a system that permits the transmission of a local oscillator from the emitter to the receiver; a homodyne detector capable of measuring, at a high acquisition frequency, any quadrature component of the electromagnetic field collected at the receiver's station; a two-way authenticated public channel that is used to communicating non-secret messages in postprocessing protocols; and a computer at the emitter's and receiver's stations that drives or reads the optical components and runs the postprocessing protocols.
 18. The device of claim 17, wherein a local oscillator is transmitted together with the signal by use of a polarization encoding system whereby each pulse comprises a strong local oscillator pulse and a weak orthogonally-polarized signal pulse with modulated amplitude and phase.
 19. The device of claim 18, wherein if polarization encoding is used, the receiving system relies on polarization-mode homodyne detection requiring a quarter-wave plate and a polarizing beam splitter.
 20. A device for exchanging Gaussian key elements between two parties which are a sender and a receiver, the device comprising: a laser diode associated with a grating-extended external cavity, the laser diode configured to send light pulses at a high repetition rate, each pulse typically containing several photons; an integrated electro-optic amplitude modulator and a piezoelectric phase modulator, configured to generate randomly-modulated light pulses, the data being organized in bursts of pulses; a beam-splitter to separate the quantum signal from a local oscillator; and a homodyne detector combining the quantum signal and local oscillator pulses in order to measure one of the two quadrature components of the light field.
 21. The device of claim 20, further comprising an acquisition board and a computer on the sender's and receiver's sides in order to run the post-processing protocols.
 22. The device of claim 20, wherein the laser operates at a wavelength comprised between about 700 and about 1600 nm.
 23. The device of claim 20, wherein the laser operates at a wavelength comprising telecom wavelengths between about 1540 and about 1580 nm.
 24. The method of claim 14, wherein informing the sender comprises utilizing a public authenticated channel by the receiver to inform the sender.
 25. The method of claim 14, wherein the channel parameters include an error rate and a line attenuation.
 26. The device of claim 17, additional comprising: means for selecting, at the emitter, two random numbers x_(A) and p_(A) from a Gaussian distribution of mean zero and variance V_(A)N₀, where N₀ refers to the shot-noise variance; means for sending a corresponding coherent state |x_(A)+ip_(A)> in the quantum channel; means for randomly choosing, at the receiver, to measure either quadrature x or p using homodyne detection; means for informing the emitter about the quadrature that was measured so the emitter may discard the wrong one; means for measuring channel parameters on a random subset of the emitter's and receiver's data, in order to evaluate the maximum information acquired by an eavesdropper; and means for converting the resulting raw key in the form of a set of correlated Gaussian variables into a binary secret key comprising direct or reverse reconciliation in order to correct the errors and get a binary key, and privacy amplification in order to make secret the binary key. 